-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:09.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Denial of Service with IPv6 Router Advertisements

Category:       core
Module:         ipv6
Announced:      2015-04-07
Credits:        Dennis Ljungmark
Affects:        All supported versions of FreeBSD.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name:       CVE-2015-2923

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability information.
Routers advertise their presence together with various link and Internet
parameters either periodically, or in response to a Router Solicitation
message, using Router Advertisement (ICMPv6 type 134).

II.  Problem Description

The Neighbor Discover Protocol allows a local router to advertise a
suggested Current Hop Limit value of a link, which will replace
Current Hop Limit on an interface connected to the link on the FreeBSD
system.

III. Impact

When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets
may get dropped before they reached their destinations.

By sending specifically crafted Router Advertisement packets, an attacker
on the local network can cause the FreeBSD system to lose the ability to
communicate with another IPv6 node on a different network.

IV.  Workaround

Only systems that are manually configured to use "accept_rtadv"
ifconfig(8) flag on an interface are affected.

The system administrator may decide to disable acceptance of Router
Advertisements from untrusted network in a per-interface basis, by
removing accept_rtadv flag at run time using ifconfig(8):

	ifconfig em0 inet6 -accept_rtadv

Note that an interface does not accept Router Advertisement messages
by default even if an IPv6 address is configured.  One can know
whether an interface is accepting Router Advertisement message or not
from existence of ACCEPT_RTADV in "nd6 options" line in an output of
ifconfig(8):

	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r281231
releng/8.4/                                                       r281233
stable/9/                                                         r281231
releng/9.3/                                                       r281233
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2923>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:09.ipv6.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn13cQANJCk2LXSX8GDHGzWnD+D5gN
rNC4Q8n9CnN80ZO/0Pk0Xx2VAtr3CKxflBTXBKISKuY+dWOzNvuUuUUkrB9SlyTj
MYpqAljnBT0JkosGGBKJwt39DjW34HWlaj9wEPr1SdIq5vQO0cXS2glVPI/CQuy3
NwnpaAmftAG4eMSYojOeodXniha/ZasFap5Zj+1dgofFHEP87zxefP2IamG1Cq72
d8YJSCD8yy51mZ7dVFM29R3FAFdMpponci31dXGb5p8pj0yzVfvI/HF1MRK+x8Nz
R0/jFOHY4TR26BfKsc4Nc6Ze7jdZHUP1qWoL2O6HiLVqws0nQp3jma7FkMrUMuui
H9kAQaIc27tJOkSK4Gdc/dwzHgb3xr2fNfOjvbUv3VNjzijTzbzKfRlVH77EAxAi
sQfUcql/toGdC/QaOlhC8+v5jHdwkLdpfRc4QdsV1rKDAA8mj068sJQS/yAig8E8
QUNmB3UK1QsX3tmy0JuDJk7tr/jjnhl2Jt9Skvm70xUiA7G05Z1qouErkIAjwikY
zQSPpSQebi3am9TtK/GViOjEVpWLYzLFYo6laR8wMw9eJsj0xlF8Qqz+0HudqfSt
lMOfpVfUmBSIxlFdiIzMBfbpLdD1gSo4oBLIYA/xw7UtDMiWi2Iji/mBY1Jg/i5V
ZCTwZmnmaVuPcsGOzv5W
=A2Am
-----END PGP SIGNATURE-----
